Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks
Briefly

"A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz. The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for the issue is said to be currently in the works. The company said it accidentally discovered the zero-day flaw in July 2025 while investigating a malware infection on a customer's machine."
"Wiz said the fix put in place by Gogs to resolve CVE-2024-55947 could be circumvented by taking advantage of the fact that Git (and therefore, Gogs) allows symbolic links to be used in git repositories, and those symlinks can point to files or directories outside the repository. Additionally, the Gogs API allows file modification outside of the regular Git protocol."
"As a result, this failure to account for symlinks could be exploited by an attacker to achieve arbitrary code execution through a four-step process:
1. Create a standard git repository
2. Commit a single symbolic link pointing to a sensitive target
3. Use the PutContents API to write data to the symlink, causing the system to follow the link and overwrite the target file outside the repository
4. Overwrite ".git/config" (specifically the sshCommand) to execute arbitrary commands"
A file-overwrite vulnerability in Gogs (CVE-2025-8110, CVSS 8.7) enables arbitrary code execution through improper symbolic link handling in the PutContents API. The flaw bypasses the fix for the earlier CVE-2024-55947: Git permits symlinks in a repository that point outside it, and the Gogs API modifies files outside the regular Git protocol, so a write to a committed symlink lands on the link target rather than inside the repository. Exploitation follows a four-step chain that ends with overwriting the sshCommand setting in ".git/config" so that arbitrary commands run. Wiz discovered the issue in July 2025 while investigating a malware infection on a customer's machine, observed more than 700 compromised internet-exposed instances, and identified a Supershell-based payload. A fix is reported to be in development.
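The root cause described above is a write that trusts the requested path and lets the operating system follow whatever symlink sits there. The following Go program is an added illustration, not Gogs code and not Wiz's exploit: it sets up a constructed layout in a temporary directory (a "repo" containing a committed symlink to a file outside it, plus a directory symlink pointing above the root), then runs two writers against it. `vulnerableWrite` joins the path and writes, as the article describes the file-update API doing; `safeWrite` refuses a symlink leaf and checks containment on the symlink-resolved path, which is the check that a symlink escape defeats when it is done on the requested path instead. File names, the `attempt` helper and the sample payload are all assumptions made for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

type writer func(root, rel string, data []byte) error

var ErrOutsideRepo = errors.New("refusing write: path resolves outside the repository root")

// vulnerableWrite models the behaviour the article describes: the requested
// path is joined onto the repo root and written. os.WriteFile opens without
// O_NOFOLLOW, so a symlink at that path is followed and the bytes land on the
// link target, wherever it points.
func vulnerableWrite(root, rel string, data []byte) error {
	return os.WriteFile(filepath.Join(root, rel), data, 0o644)
}

// safeWrite refuses to write through a symlink leaf and, after resolving
// symlinks in the parent directories, refuses any location outside the
// resolved repository root. Containment is checked on the resolved path, not
// on the requested one.
func safeWrite(root, rel string, data []byte) error {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	// The leading "/" makes Clean discard any ".." that would climb above the root.
	target := filepath.Join(realRoot, filepath.Clean("/"+rel))
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return ErrOutsideRepo // the leaf itself is a symlink: never follow it
	}
	realParent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return err
	}
	resolved := filepath.Join(realParent, filepath.Base(target))
	if resolved != realRoot && !strings.HasPrefix(resolved, realRoot+string(os.PathSeparator)) {
		return ErrOutsideRepo // a directory symlink in the path led outside the root
	}
	return os.WriteFile(resolved, data, 0o644)
}

// scenario is a constructed layout (assumption for the demo, not a Gogs data dir):
//   base/outside.txt     the sensitive target, standing in for ".git/config"
//   base/repo/           the repository root the API must stay inside
//   base/repo/config     symlink -> ../outside.txt   (the "committed" symlink)
//   base/repo/dirlink    symlink -> ..               (a directory symlink)
type scenario struct{ base, repo, outside string }

func newScenario() (*scenario, error) {
	base, err := os.MkdirTemp("", "gogs-symlink-demo")
	if err != nil {
		return nil, err
	}
	s := &scenario{base: base, repo: filepath.Join(base, "repo"), outside: filepath.Join(base, "outside.txt")}
	for _, e := range []error{
		os.Mkdir(s.repo, 0o755),
		os.WriteFile(s.outside, []byte("original"), 0o644),
		os.Symlink("../outside.txt", filepath.Join(s.repo, "config")),
		os.Symlink("..", filepath.Join(s.repo, "dirlink")),
	} {
		if e != nil {
			os.RemoveAll(base)
			return nil, e
		}
	}
	return s, nil
}

// attempt runs one writer against a fresh scenario for the given relative path
// and reports whether the bytes reached the outside file, i.e. whether the
// write escaped the repository. werr is the writer's own error, if any.
func attempt(w writer, rel string) (escaped bool, werr error) {
	s, err := newScenario()
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(s.base)
	werr = w(s.repo, rel, []byte("[core]\n\tsshCommand = /tmp/payload\n")) // constructed payload
	got, err := os.ReadFile(s.outside)
	if err != nil {
		return false, err
	}
	return string(got) != "original", werr
}

func main() {
	writers := []struct {
		name string
		w    writer
	}{{"vulnerable", vulnerableWrite}, {"safe", safeWrite}}
	for _, rel := range []string{"config", "dirlink/outside.txt", "README.md"} {
		for _, wr := range writers {
			esc, err := attempt(wr.w, rel)
			fmt.Printf("%-10s %-20s escaped=%-5v err=%v\n", wr.name, rel, esc, err)
		}
	}
}
```

Both the leaf-symlink case and the directory-symlink case escape under `vulnerableWrite` and are refused under `safeWrite`, while an ordinary in-repo path such as `README.md` still writes. Resolving the root with `EvalSymlinks` before comparing matters on hosts where the data directory is itself reached through a symlink; otherwise the prefix check would reject every write.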
Read at The Hacker News